Query Details

Detecting Potential CA Policy Bypass By Privileged Accounts Via Private Browser Sessions

Query

**Detecting potential CA policy bypass by privileged accounts via private browser sessions**

When two accounts from the same Entra tenant are signed in to the same browser on one device, the device authentication (the Primary Refresh Token, PRT) that belongs to the primary account is implicitly applied to the second account as well. The second account therefore inherits the device-based Conditional Access result, which bypasses the intended device checks and weakens the protection of privileged accounts.

Based on this behaviour, I created a KQL query that detects an account holding a privileged role signing in through a private/incognito browser session on a device where another account is potentially already signed in. This pattern helps surface the PRT/device-trust bypass described above. Even lower-privileged accounts are worth a look when they browse in private mode, so the query does not filter to admin roles only. To target specific roles, add:
| where tostring(AssignedRoles) contains "admin"

```
DeviceProcessEvents
| where isnotempty(AccountUpn) and FileName in~ ("chrome.exe", "msedge.exe", "firefox.exe")
// Chrome: --incognito, Edge: --inprivate, Firefox: -private / -private-window
| extend Navigation_Mode = iif(ProcessCommandLine has_any ("--incognito", "--inprivate", "-private", "-private-window"), "🚨Private", "Normal")
| extend AccountUpn = tolower(AccountUpn)
| join kind=inner (
    IdentityInfo
    | extend AccountUpn = tolower(AccountUpn)
    // IdentityInfo keeps several snapshots per user; take the latest so the join does not multiply rows
    | summarize arg_max(Timestamp, AssignedRoles) by AccountUpn
) on AccountUpn
| summarize Navigation_Mode = make_set(Navigation_Mode), Accounts = make_set(AccountUpn), Account_Modes = make_set(strcat(AccountUpn, ":", Navigation_Mode)), Distinct_Upn = dcount(AccountUpn), AssignedRoles = make_set(AssignedRoles), Potential_Case = dcount(Navigation_Mode) by DeviceName
| where Potential_Case > 1 and Distinct_Upn > 1 and tostring(AssignedRoles) != "[]"
//| where tostring(AssignedRoles) contains "admin"
```

Explanation

This KQL query looks for a pattern that can indicate a Conditional Access policy bypass by a privileged account using a private or incognito browser session on a shared device. What it does, step by step:

  1. Data source: It starts from DeviceProcessEvents and keeps only browser launches (chrome.exe, msedge.exe, firefox.exe) that carry a non-empty AccountUpn.

  2. Private browsing detection: It labels each launch Private or Normal by checking the process command line for the private-browsing switches (--incognito for Chrome, --inprivate for Edge, -private and -private-window for Firefox).

  3. User information: It joins each launch with IdentityInfo on AccountUpn to pull in the account's AssignedRoles.

  4. Summarization: It groups by DeviceName and collects the set of navigation modes, the set of accounts, the distinct account count and the union of their assigned roles.

  5. Potential security risk: It keeps devices where more than one account launched a browser, both Normal and Private modes were seen, and at least one of the accounts holds an Entra role. That is the shape of the scenario described above: one account already signed in normally, and a second, possibly privileged, account using a private window on the same device.

  6. Role filtering: The query currently considers every assigned role. The commented-out last line narrows the results to roles containing "admin".

Note that the filter conditions are evaluated per device, not per account: a device qualifies when both modes and a privileged account were seen on it, which does not by itself prove that the privileged account was the one using the private window. Check the collected sets before treating a hit as confirmed, and expect benign hits on shared workstations and jump hosts.
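To check the logic against data before deploying it, here is a small Python harness, added here as an example and not part of the original query or its author's work. It replays the same conditions over constructed DeviceProcessEvents and IdentityInfo rows (the hosts, accounts and roles are hypothetical), stands in for the IdentityInfo join with a dictionary, and additionally records which account opened the private window and whether it holds a role, which the device-level summarize in the query does not show.

```python
"""Replay of the detection logic above over constructed sample rows.

Added example, not part of the original query page. It mirrors the KQL:
classify browser launches as Normal/Private from the command line, enrich
each account with its Entra roles (the IdentityInfo join), group by device
and keep devices with more than one account, both navigation modes and at
least one assigned role. On top of the KQL output it also records which
accounts opened the private window and whether they hold a role.
"""
from collections import defaultdict

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
# Terms matched the way has_any() matches them: Chrome --incognito,
# Edge --inprivate, Firefox -private / -private-window (double dash also accepted).
PRIVATE_TERMS = {"incognito", "inprivate", "private", "private-window"}

# Constructed sample telemetry (hypothetical hosts and accounts, not real data).
DEVICE_PROCESS_EVENTS = [
    # ws-001: a normal Edge session by a standard user plus an InPrivate Edge window by an admin
    {"DeviceName": "ws-001", "AccountUpn": "alice@contoso.com", "FileName": "msedge.exe",
     "ProcessCommandLine": '"C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe" --profile-directory=Default'},
    {"DeviceName": "ws-001", "AccountUpn": "ADM-Bob@contoso.com", "FileName": "msedge.exe",
     "ProcessCommandLine": '"C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe" --inprivate'},
    # ws-002: one account only, so it must not be flagged even though it is privileged and private
    {"DeviceName": "ws-002", "AccountUpn": "carol@contoso.com", "FileName": "chrome.exe",
     "ProcessCommandLine": '"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" --incognito'},
    # ws-003: two accounts and both modes, but neither account holds a role
    {"DeviceName": "ws-003", "AccountUpn": "dave@contoso.com", "FileName": "firefox.exe",
     "ProcessCommandLine": "firefox.exe -private-window https://portal.azure.com"},
    {"DeviceName": "ws-003", "AccountUpn": "erin@contoso.com", "FileName": "firefox.exe",
     "ProcessCommandLine": "firefox.exe"},
    {"DeviceName": "ws-003", "AccountUpn": "erin@contoso.com", "FileName": "notepad.exe",
     "ProcessCommandLine": "notepad.exe"},
]

# Stand-in for IdentityInfo: AccountUpn -> AssignedRoles (constructed).
IDENTITY_INFO = {
    "alice@contoso.com": [],
    "adm-bob@contoso.com": ["Global Administrator"],
    "carol@contoso.com": ["Security Reader"],
    "dave@contoso.com": [],
    "erin@contoso.com": [],
}


def navigation_mode(cmdline):
    """Return "Private" if any switch on the command line is a private-browsing switch."""
    for tok in cmdline.lower().split():
        if tok.startswith("-") and tok.lstrip("-").split("=", 1)[0] in PRIVATE_TERMS:
            return "Private"
    return "Normal"


def detect(process_events, identity_info, role_filter=None):
    """Return the devices matching the query's conditions.

    role_filter, when given, is the case-insensitive substring at least one role
    on the device must contain (the commented-out 'contains "admin"' line).
    """
    per_device = defaultdict(list)
    for ev in process_events:
        if not ev.get("AccountUpn") or ev["FileName"].lower() not in BROWSERS:
            continue
        upn = ev["AccountUpn"].lower()   # normalise before the join; IdentityInfo may differ in case
        if upn not in identity_info:      # kind=inner: accounts unknown to IdentityInfo drop out
            continue
        per_device[ev["DeviceName"]].append((upn, navigation_mode(ev["ProcessCommandLine"])))

    findings = []
    for device, rows in per_device.items():
        accounts = {upn for upn, _ in rows}
        modes = {mode for _, mode in rows}
        roles = {r for upn in accounts for r in identity_info[upn]}
        # Distinct_Upn > 1, Potential_Case > 1, AssignedRoles != []
        if len(accounts) < 2 or len(modes) < 2 or not roles:
            continue
        if role_filter and not any(role_filter.lower() in r.lower() for r in roles):
            continue
        # Extra over the KQL: which role-holding accounts opened a private window on this device
        private_privileged = sorted(
            {upn for upn, mode in rows if mode == "Private" and identity_info[upn]}
        )
        findings.append({
            "DeviceName": device,
            "Accounts": sorted(accounts),
            "AssignedRoles": sorted(roles),
            "PrivatePrivilegedAccounts": private_privileged,
        })
    return findings


if __name__ == "__main__":
    for hit in detect(DEVICE_PROCESS_EVENTS, IDENTITY_INFO):
        print(hit)
```

Running it flags only ws-001, with adm-bob@contoso.com listed as the role-holding account that used the private window; ws-002 has a single account and ws-003 has no privileged account, so both stay quiet, which is the behaviour the query's three conditions are meant to produce.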

Details


Sergio Albea

Released: September 28, 2025

Tables

DeviceProcessEvents, IdentityInfo

Keywords

DeviceProcessEvents, AccountUpn, FileName, ProcessCommandLine, IdentityInfo, DeviceName, AssignedRoles

Operators

where, isnotempty, in~, extend, iif, has_any, join, on, summarize, make_set, dcount, by, !=, contains
